WHAT IS CLAIMED IS:

1. A system comprising:

an operating system providing at least one routine capable of being invoked, and said operating system operable to collect audit data for invoked operating system routines;

data storage having collected audit data stored thereto in a first format; and

software code executable by at least one processor to receive said collected audit data and generate output comprising at least a portion of said collected audit data in a desired format defined by a template, wherein said desired format is different than said first format.

2. The system of claim 1 wherein said template comprises at least one constant element.

3. The system of claim 2 wherein said at least one constant element is included verbatim in said output.



The system of claim 1 wherein said template comprises at least one variable 




5. The system of claim 4 wherein said at least one variable element identifies a
particular portion of the collected audit data to be included in said output.

6. The system of claim 5 wherein said at least one variable element identifies a 
location within said output at which said particular portion of the collected audit data is to be 
arranged. 

7. The system of claim 1 wherein said collected audit data comprises a record for
each invocation of an operating system routine that is included within said collected audit
data, and wherein each record includes at least one type of audit information relating to
execution of an invoked operating system routine.



8. The system of claim 7 wherein said at least one type of audit information
includes at least one type selected from the group consisting of:

user identification, group identification, supplementary group identification, process 
identification, event identification, event count, event type, date, time, thread identification, 
system call, capabilities used, object, and result. 



9. The system of claim 7 wherein said template comprises at least one variable
element that each identifies a particular type of audit information to be included in said 
output. 



10. The system of claim 1 wherein said template comprises at least one
conditional element.

11. The system of claim 10 wherein said at least one conditional element dictates
that said output is to have a particular format if a condition is satisfied, otherwise said output
is to have a different format.

12. The system of claim 1 wherein said template defines a format selected from
the group consisting of: 

plain text, markup language, and comma separated format. 

13. The system of claim 1 wherein said operating system comprises a kernel-level
audit device driver for collecting said audit data. 

14. A computer program product for generating audit data in a desired format, said audit data relating to execution of a routine, said computer program product comprising a computer-readable storage medium having computer-readable program code embodied in said medium, said computer readable program code comprising:

code executable to access audit data stored in a data storage device, wherein said audit data comprises information relating to execution of at least one invoked routine;

code executable to access an audit transformation template; and

code executable to generate output comprising at least a portion of said collected audit data, said output having a format defined by said audit transformation template.

15. The computer program product of claim 14 wherein said audit data is collected by an operating system.

16. The computer program product of claim 14 wherein said at least one routine includes at least one invoked operating system routine.



17. The computer program product of claim 16 wherein said at least one invoked
operating system routine is invoked by an application via system call.

18. The computer program product of claim 16 wherein said at least one invoked
operating system routine is invoked via user command.

19. The computer program product of claim 14 wherein said audit transformation
template comprises at least one constant element that is included verbatim in said output.

20. The computer program product of claim 14 wherein said template comprises at
least one variable element.

21. The computer program product of claim 20 wherein said collected audit data
comprises a record for each invocation of an operating system routine that is included within
said collected audit data, and wherein each record includes at least one type of audit
information relating to execution of an invoked operating system routine.

22. The computer program product of claim 21 wherein said at least one type of
audit information includes at least one type selected from the group consisting of:

user identification, group identification, supplementary group identification, process
identification, event identification, event count, event type, date, time, thread identification,
system call, capabilities used, object, and result.

23. The computer program product of claim 22 wherein said audit data comprises
multiple ones of said record, further comprising:
code executable to sort at least a portion of the multiple records based on at least one
of said types of audit information.

24. The computer program product of claim 21 wherein said at least one variable 
element each identify a particular type of audit information to be included in said output. 

25. The computer program product of claim 14 wherein said template comprises at 
least one conditional element, and wherein said conditional element dictates that said output
is to have a first format if a condition is satisfied and have a different format if said condition 
is not satisfied. 

26. A method of generating an output that includes collected audit data therein and
has a desired format, said method comprising the steps of:

collecting audit data relating to the execution of one or more invoked routines;
storing said collected audit data to a data storage device;
accessing said collected audit data;
accessing an audit transformation template that defines a desired format; and
generating an output that includes at least a portion of said collected audit data,
wherein said output comprises said desired format as defined by said audit transformation
template.

27. The method of claim 26 wherein said audit data comprises information about
at least one invoked operating system routine.

28. The method of claim 26 further comprising the step of: 
creating, by a user, said audit transformation template. 

29. The method of claim 26 wherein said audit transformation template comprises
at least one constant element that is included verbatim in said output.

30. The method of claim 26 wherein said audit transformation template comprises 
at least one variable element. 



31. The method of claim 30 wherein said at least one variable element identifies a
particular type of audit information from said collected audit data to be included in said
output.

32. The method of claim 31 wherein said particular type of audit information
includes at least one type selected from the group consisting of:

user identification, group identification, supplementary group identification, process
identification, event identification, event count, event type, date, time, thread identification,
system call, capabilities used, object, and result.



33. The method of claim 26 further comprising the step of:
presenting said output to a user.



34. The method of claim 26 further comprising the step of:
storing said output to a file. 



35. The method of claim 26 further comprising the step of: 
inputting said output to an application for processing by said application.



36. The method of claim 26 further comprising the step of:
sorting said collected audit data based at least in part on at least one type of audit
information included therein. 

37. A library of software functions comprising:

function executable to access collected audit data, wherein said audit data comprises
information about at least one invoked routine of said operating system;

function executable to access a template defining an output format; and
function executable to generate output comprising at least a portion of said collected
audit data, wherein said output has a format defined by said template.

38. The library of claim 37 wherein said function executable to access collected
audit data, said function executable to access a template, and said function executable to
generate output are distinct functions. 

39. The library of claim 37 wherein said function executable to access collected
audit data, said function executable to access a template, and said function executable to
generate output are included within a common function.